After nearly 20 years of security news, this service is discontinued. Among the reasons are the very high number of vulnerabilities combined with automatically updating systems, so the need for this service has diminished. We hope that you understand this decision. Please visit us also at http://www.tufin.club!

Most of the links lead to the corresponding files at CERT or
other organisations, so changes take effect immediately,
especially regarding which patches should be installed or which
configuration changes should be made to avoid a vulnerability.
Some of the files are transferred by FTP.

By the way: if we do not publish well-known risks
inherent in a widely used platform or program, that
does not mean this particular platform or program is safe
to use!

It was detected that several firewall, caching and antivirus proxy products do not
restrict the HTTP CONNECT method sufficiently. On some products this apparently
cannot be restricted by design.
Using CONNECT it is possible to tunnel to arbitrary ports, sometimes also to
ports below 1024.
An example looks like this (the request line is followed by an empty line):
$ telnet your.local.proxy 3128
Trying 1.2.3.4...
Connected to your.local.proxy.
Escape character is '^]'.
CONNECT wwwspecial.domain.example:44444 HTTP/1.0

If the eicar.com test file comes back in clear text through that tunnel and you
run antivirus proxy software, a second issue exists: the software does not scan
any traffic carried over HTTP CONNECT, even when that traffic is not encrypted.

If you can also connect to ports below 1024, a third issue comes up.
Try it with:
CONNECT mail.domain.example:25 HTTP/1.0
If this works, any port from 1 to 65535 can probably be reached from inside
to outside, which may break your security policy.

Finally, a connection request to port 80 using:
CONNECT www.domain.example:80 HTTP/1.0
This too should normally fail.

Solutions:
1) Disable the CONNECT method completely, if software and security policy
allow it (this also disables HTTPS traffic).
2) Restrict the ports that may be used with CONNECT to e.g. 443 (https)
only (the Squid cache software has done this by default for some years,
allowing ports 443 and 563 [NNTP over SSL] only).
3) Restrict outgoing traffic from the proxy to allowed ports only, using local
or nearby firewalling (e.g. ports 80 and 443 only).
4) If the antivirus is bypassed, contact the vendor for a solution.
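Solution 2 in code, as an added example that is not from the original advisory: a port gate for CONNECT request lines modelled on Squid's default SSL_ports ACL (443 and 563). It accepts only the RFC 2817 three-token request line, so a line with an extra token or a missing port is rejected as malformed rather than tunnelled; the function name and the response codes chosen here are assumptions.

```python
"""Port gate for HTTP CONNECT request lines, modelled on Squid's default
SSL_ports ACL. Added example, not code from the original advisory."""
import re

# Squid's long-standing default: CONNECT only to https (443) and
# NNTP over SSL (563); every other port is denied.
DEFAULT_ALLOWED_PORTS = frozenset({443, 563})

# RFC 2817 request line: exactly three tokens, "CONNECT host:port HTTP/1.x".
# The host may be a name, an IPv4 address or a bracketed IPv6 literal.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:/]+):(?P<port>\d{1,5})"
    r"\s+HTTP/1\.[01]$"
)


def check_connect(request_line, allowed_ports=DEFAULT_ALLOWED_PORTS):
    """Decide what a proxy should answer to one CONNECT request line.

    Returns (status, reason): 200 = tunnel may be opened, 403 = port not on
    the allow list, 400 = malformed line (missing port, extra token, port
    out of range), 405 = not a CONNECT request at all.
    """
    line = request_line.rstrip("\r\n")
    if not line.startswith("CONNECT "):
        return 405, "method is not CONNECT"
    match = _CONNECT_RE.match(line)
    if match is None:
        return 400, "malformed CONNECT request line"
    host, port = match.group("host"), int(match.group("port"))
    if not 1 <= port <= 65535:
        return 400, f"port {port} out of range"
    if port not in allowed_ports:
        # This is the check the advisory found missing: deny 25, 80, 44444 ...
        return 403, f"CONNECT to port {port} denied by policy"
    return 200, f"tunnel to {host}:{port} permitted"


if __name__ == "__main__":
    # The three request lines from the advisory plus one that should pass.
    for req in (
        "CONNECT wwwspecial.domain.example:44444 HTTP/1.0",
        "CONNECT mail.domain.example:25 HTTP/1.0",
        "CONNECT www.domain.example:80 HTTP/1.0",
        "CONNECT www.domain.example:443 HTTP/1.0",
    ):
        status, reason = check_connect(req)
        print(f"{status} {reason:45} <- {req}")
```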